How to bypass SSL based on server certificate

Article ID: 166297


Products

ProxySG Software - SGOS

Issue/Introduction

In an explicit proxy deployment, policy based on the destination URL works because HTTPS traffic from the client to the ProxySG appliance uses the HTTP CONNECT method, which tells the appliance the destination hostname. In a transparent proxy deployment, however, policy based on the destination URL often does not work because the appliance is aware only of the destination IP address. In this case, you must write a rule based on the server certificate, which the appliance can see during the SSL handshake, to successfully disable authentication.

Resolution

The following examples show how to disable SSL interception for example.com traffic using either the Visual Policy Manager (VPM) or Content Policy Language (CPL).
 
Disable SSL interception through the VPM:
  1. Log in to the Management Console (https://<IP_address>:8082).
  2. Select Configuration > Policy > Visual Policy Manager. Click Launch.
  3. In the VPM, select Policy > Add SSL Intercept Layer.
  4. Click Add Rule.
  5. Right-click the Destination field and select Set.
  6. Click New and select Server Certificate.
  7. Enter "example" in the hostname field, select Contains from the drop-down list, and then click OK.
  8. Right-click the Action column and select Set > Disable SSL interception.
  9. Click Install Policy. Your new policy has been installed.
 
Disable SSL interception through CPL:
  1. Log in to the Management Console (https://<IP_address>:8082).
  2. Select Configuration > Policy > Policy Files > Policy Files.
    There is an "Install policy" section where you can install policy from a local file, forward file, and central file.
  3. Select Text Editor from the drop-down list to the right of "Install Local file from". Click Install.
    If this is a new proxy deployment, your local policy may be blank. If this is an established proxy with local policy, scroll down to the bottom of the data contained in the text editor.
  4. Copy and paste the following CPL:

    <SSL-Intercept>
    server.certificate.hostname.substring="example" ssl.forward_proxy(no)

  5. Select Install > OK > Close.
  6. Click Apply. Your new policy has been installed.
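A narrower form of the same rule, added here as an example and not part of the original article: the substring match above exempts from interception every server whose certificate hostname merely contains "example", including unrelated domains, so match the domain and its subdomains instead. It assumes the `server.certificate.hostname=` (exact) and `server.certificate.hostname.suffix=` condition forms documented in the CPL reference for your SGOS release.

```cpl
; Added example, not from the original article.
; Same <SSL-Intercept> layer as above, but the match is limited to the
; intended domain so interception is not silently disabled for other hosts
; whose certificate name happens to contain "example".
; Assumes the exact (=) and .suffix= forms of server.certificate.hostname
; exist in your SGOS release; check the CPL reference before installing.
<SSL-Intercept>
    ; bare domain
    server.certificate.hostname="example.com" ssl.forward_proxy(no)
    ; any subdomain (leading dot stops "notexample.com" from matching)
    server.certificate.hostname.suffix=".example.com" ssl.forward_proxy(no)
    ; all other HTTPS traffic keeps the layer's default interception behaviour
```

Install it exactly as in step 4 above and review the policy trace for a test host before relying on the exemption.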